Exploring attacks against PHP applications

Imperva released its September Hacker Intelligence Initiative report which presents an in-depth view of recent attacks against PHP applications, including attacks that involve the PHP “SuperGlobal” parameters, and provides further insight into the nature of hacking activities in general and the implications for the overall integrity of the World Wide Web.

“Because compromised hosts can be used as botnet slaves to attack other servers, exploits against PHP applications can affect the general security and health of the entire Web,” said Amichai Shulman, CTO at Imperva. “The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80 percent of all websites, including Facebook and Wikipedia. Clearly, it is time for the security community to devote more attention to this issue.”

The report also finds that hackers are increasingly capable of packaging higher levels of sophistication into simpler scripts, and identifies PHP SuperGlobals as a prime target that yields a high return on investment.

The PHP SuperGlobal parameters are gaining popularity within the hacking community because they incorporate multiple security problems into an advanced web threat that can break application logic, compromise servers, and result in fraudulent transactions and data theft.

In one month, Imperva’s research team noted an average of 144 attacks per application that contained attack vectors related to SuperGlobal parameters. Furthermore, researchers witnessed attack campaigns lasting more than five months with request burst floods of up to 90 hits per minute on a single application.

Highlights and recommendations from this report include:

Key exposures in third-party infrastructure demonstrate need for an “opt out” security model. The report found a vulnerability in the very popular PhpMyAdmin (PMA) utility, used to manage MySQL databases in PHP environments. Because it is often bundled with other applications using the popular MySQL Database, having this vulnerable utility present on the server, even if it is not being used by the administrator, exposes the server to code execution attacks, and as a consequence, to full server takeover. Therefore, an “opt out” security model is recommended.

Positive security models are best. Only a positive security mechanism that specifies the allowed parameter names for each resource can prevent an attacker from taking advantage of the external variable manipulation weakness, which gives anyone the ability to send out external parameters with the same name of internal variables, and thus override the value of the latters.

Hackers are sophisticated. Imperva researchers observed that attackers are capable of mounting complex attacks and packaging them into simple-to-use tools. However, while an impressive demonstration of attack strength, the PHP method has pitfalls. An application security solution that can detect and mitigate a single stage of the attack can render the entire attack useless.

SuperGlobal parameters in requests should be blocked. There is no reason for these parameters to be present in requests; therefore, they should be banned.